Mozilla released two consecutive security advisories to address the vulnerabilities in Firefox and Firefox ESR. The latter is a critical advisory claiming that Mozilla is aware of in-the-wild attacks for a type confusion vulnerability. However, there are no details about the specific threat actor(s) abusing the aforementioned vulnerability.
Mozilla’s release of Firefox version 72 includes protection against browser fingerprinting. Browser fingerprinting is an incredibly accurate method that allows the identification of browsers and tracking of online activity. This method can also be used by websites to collect information such as browser type and version, operating system version, active plugins, timezone, screen resolution, etc. Mozilla states that
"Firefox 72 protects users against fingerprinting by blocking all third-party requests to companies that are known to participate in fingerprinting."
Mozilla Firefox Zero-Day: CVE-2019-17026
Vulnerabilities fixed in MFSA (2020-01 and 2020-02)
Five vulnerabilities in Firefox and four in Firefox ESR were regarded high in severity. A summary of these high severity vulnerabilities is given below:
CVE-2019-17015: A memory corruption bug that arises in the parent process during new content process initialization on Windows. An attacker can manipulate a pointer offset to cause memory corruption and a potentially exploitable crash in the parent process.
CVE-2019-17016: This flaw exists because the CSS sanitizer incorrectly rewrites a @namespace rule when pasting a
<style>tag from the clipboard into a rich text editor, which allows injection in certain websites. An attacker could exploit this vulnerability to exfiltrate data.
CVE-2019-17017: A type confusion issue in XPCVariant.cpp due to a missing case handling object types. This bug can be exploited to crash the application or even execute arbitrary code.
CVE-2019-17024: A set of memory safety bugs that showed evidence of memory corruption and could allow execution of arbitrary code.
CVE-2019-17025: Another set of memory safety bugs exclusive to Firefox, which could be exploited to run arbitrary code.
CVE-2019-17021 and CVE-2019-17022 are the moderate severity bugs fixed in Firefox and Firefox ESR.
CVE-2019-17021: A race condition that occurs during the initialization of a new content process leads to a heap address disclosure from the parent process. This bug only affects Windows systems.
CVE-2019-17022: CSS sanitizer fails to escape the HTML tags, which could lead to an XSS vulnerability
CVE-2019-17018, CVE-2019-17019 , and CVE-2019-17020 are the other moderate severity bugs fixed in Firefox, which could retain word suggestions in private browsing mode, execute Python files on download and bypass restrictions of the Content Security Policy respectively.
Mozilla Firefox before version 72.0.1
Mozilla Firefox ESR before 68.4.1
Please refer to this KB Article to apply the patches using SanerNow.